Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more Deke Kassabian, April 2007.

Opening Statements Common desktop & server operating systems are getting better, but are still not network-safe in their default 'out of the box' configuration. Firewalls can provide security help, but seemingly obvious designs can create problems while adding little value. Most end-systems can be operated in a network-safe way without firewalls, though often not in their default configuration, and not without ongoing effort. People sometimes try to solve problems through the use of firewalls without acknowledging their downsides.

Who wants firewalls? Users want firewalls to protect their machines. But, users don't want firewalls to break applications. Network Operators want firewalls to keep attack traffic out. But, Network Operators don't want firewalls to prevent monitoring and management, or to drive all traffic to port 80.

Thinking About Firewalls Firewalls, by design, limit the flow of network traffic. When the limits help fend off attacks launched over networks, firewalls provide real positive value. When the limits cause legitimate user applications to break, or prevent new applications from being born, firewalls provide real negative value.

Firewall Placement Creating large perimeters to protect large numbers of computers with a single firewall is an approach that has some significant problems. Three of these are:
1) The larger the number of hosts on the "inside", the greater the chance that a vulnerability with one of them will be exploited.
2) The larger the community of users on the inside, the more likely that no common security policy will suit them all.
3) The larger the community of users on the inside, the more likely that eventually one of them will become motivated to attempt to compromise another system on the inside, or the security of the firewall itself.

Firewall Placement (1) The larger the number of hosts on the "inside", the greater the chance that a security vulnerability with any one of them will be exploited. May lead to attacks launched from the outside, exploiting vulnerabilities on the inside. For example, a single system with a default administrator password for a service that the firewall rules permit makes the inside vulnerable. The firewall doesn't provide much help here.

Firewall Placement (2) The larger the community of users on the inside, the more likely that no common security policy will suit them all. Users with a diverse set of applications will have different goals and different network services that matter to them (and different network services that they want to avoid!), and so will have different security policies in mind for implementation on the firewall.

Firewall Placement (3) The larger the community of users on the inside, the more likely that eventually one of them will become motivated to attempt to compromise another system on the inside, or the security of the firewall itself. The firewall is (quite literally) in no position to help here.

Firewall Placement Taken together, these three points argue against large enterprise (or campus, or school-wide) firewalls as a simple and general solution to a variety of security-related problems. These points lead me to believe that security is maximized by pushing the control point as close as possible to the resource needing protection.

A firewall for my campus building? If everyone agrees on a single security policy (e.g., HTTP, SMTP, and IMAP are okay; SMB and Windows Messenger are bad), then this may work. It requires everyone to remain actively engaged, since ongoing changes in the firewall policy will be needed. The control point is closer to the resources protected, so it is an improvement over one-big-firewall-protects-my-campus. But it still has two big downsides...

Inline firewalls can disrupt net management A firewall between network management systems and the network electronics restricts the ability to monitor and manage those network devices safely and effectively. The simple solution of allowing net management traffic to pass through the firewall only compromises the security of both the firewall-protected network and the central network management systems. One way to address this is to add physical or virtual networks to allow monitoring "out of band". While this works, it adds real cost and complexity.

Varying security policy can cause confusion The second downside is related to applications. End stations on the "inside" are subject to a specific security policy that may differ from the security policy of the neighboring building. This means that users around campus may have traffic filtered in ways that vary. These variations can cause applications to fail for some while they work for others.

Figure discussion Subnet (A) has an open policy, no firewall involved. Subnet (B) has a subnet/workgroup firewall filtering traffic for all desktops, laptops, printers, and servers on subnet (B). Subnet (C) is topologically the same, but may implement a different set of policies in the firewall. Subnet (D) firewalls a set of servers, but addresses desktop and laptop security independent of the firewall. (B) and (C) create "islands" around campus; each may vary from the others, and each is a potential application issue.
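The "islands" problem from the building-firewall and figure slides can be made concrete with a small first-match policy evaluator. This is an added example, not part of the original presentation: the three policies below are constructed to model subnet (A) (open), subnet (B) (the HTTP/SMTP/IMAP-okay, SMB-bad policy from the earlier slide) and subnet (C) (same topology, slightly different rules), and the application flows and port numbers are illustrative assumptions. The comparison function reports every application whose outcome depends on which subnet the user happens to sit on.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal first-match packet-filter policy evaluator.
# Policies, flows and port numbers below are illustrative, not from the slides.

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    direction: str = "in"        # "in" (toward the subnet) or "out"

@dataclass(frozen=True)
class Flow:
    app: str
    proto: str
    dport: int
    direction: str

def evaluate(policy, flow):
    """Return the action of the first rule matching the flow; default-deny if none match."""
    for rule in policy:
        if rule.direction != flow.direction:
            continue
        if rule.proto not in ("any", flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"

# Subnet (A): open policy, no firewall. Modelled as allow-everything.
POLICY_A = [Rule("allow", "any", None, "in"), Rule("allow", "any", None, "out")]

# Subnet (B): workgroup firewall; HTTP, HTTPS, SMTP and IMAP inbound are okay, SMB is bad.
POLICY_B = [
    Rule("deny", "tcp", 445, "in"),
    Rule("allow", "tcp", 80, "in"),
    Rule("allow", "tcp", 443, "in"),
    Rule("allow", "tcp", 25, "in"),
    Rule("allow", "tcp", 143, "in"),
    Rule("allow", "any", None, "out"),
]

# Subnet (C): same topology as (B), but its administrators also block inbound SMTP/IMAP.
POLICY_C = [
    Rule("deny", "tcp", 445, "in"),
    Rule("deny", "tcp", 143, "in"),
    Rule("allow", "tcp", 80, "in"),
    Rule("allow", "tcp", 443, "in"),
    Rule("allow", "any", None, "out"),
]

# Constructed application flows a user on campus might depend on.
FLOWS = [
    Flow("web", "tcp", 80, "in"),
    Flow("smtp", "tcp", 25, "in"),
    Flow("imap", "tcp", 143, "in"),
    Flow("smb", "tcp", 445, "in"),
    Flow("rtp-video", "udp", 5004, "in"),
]

def policy_islands(policies, flows):
    """Map app -> {subnet: action}, keeping only apps whose outcome varies by subnet.

    An application that is allowed everywhere (or denied everywhere) is consistent;
    anything left in the result works for some users and fails for others.
    """
    result = {}
    for flow in flows:
        outcomes = {name: evaluate(policy, flow) for name, policy in policies.items()}
        if len(set(outcomes.values())) > 1:
            result[flow.app] = outcomes
    return result

if __name__ == "__main__":
    islands = policy_islands({"A": POLICY_A, "B": POLICY_B, "C": POLICY_C}, FLOWS)
    for app, outcomes in islands.items():
        print(f"{app:10s} {outcomes}")
```

Only "web" is consistent across the three subnets; SMTP and IMAP work on (A) and (B) but fail on (C), SMB works only on (A), and the UDP video flow is silently dropped by both firewalls because neither policy has a matching allow rule and the default is deny. That last case is the kind of breakage that is hardest for a help desk to diagnose, since no one wrote a rule against it.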

A firewall for every device? Maybe. Protection for every device is an important goal. That might often involve firewalls. A firewall for every server seems like a solid idea. And if you can collect a few servers with common policy, that's a win. Sometimes the firewall can be host-based rather than a separate piece of hardware. This scales well and may be more flexible. But there are downsides, too.

Other end-station protection approaches This is the subject of many good articles on securing computers. Some common measures are:
– Use of good passwords on all accounts
– Removal of unnecessary network services, and limiting permitted services to allow connections only from expected sources
– Use of, and ongoing updates to, virus protection software
– A program of regular security updates for the operating system and applications
– Manual and automated review of log files that record relevant details of system activity
This is a partial list, of course. Add your favorites here.
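The last measure in the list, automated review of log files, is the one most often left as an exercise. The following added example (not from the presentation) shows the shape of such a review over constructed OpenSSH-style syslog lines: it counts failed password attempts per source address, raises a finding once a source crosses a threshold, and raises a second, more serious finding if that same source is later accepted. The log lines, hostnames, usernames, addresses and the threshold of three are all illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog style (not real logs).
SAMPLE_LOG = """\
Apr 12 03:14:01 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Apr 12 03:14:03 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Apr 12 03:14:05 host1 sshd[2103]: Failed password for root from 198.51.100.23 port 51030 ssh2
Apr 12 03:14:07 host1 sshd[2103]: Failed password for root from 198.51.100.23 port 51030 ssh2
Apr 12 03:14:09 host1 sshd[2105]: Failed password for root from 198.51.100.23 port 51044 ssh2
Apr 12 03:14:12 host1 sshd[2105]: Accepted password for root from 198.51.100.23 port 51044 ssh2
Apr 12 08:02:44 host1 sshd[2200]: Accepted publickey for deke from 192.0.2.10 port 40112 ssh2
Apr 12 08:10:01 host1 sshd[2210]: Failed password for deke from 192.0.2.10 port 40120 ssh2
Apr 12 08:10:05 host1 sshd[2210]: Accepted password for deke from 192.0.2.10 port 40120 ssh2
"""

# OpenSSH reports "Failed password for invalid user NAME from ADDR" for unknown
# accounts and "Failed password for NAME from ADDR" for existing ones.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")

def review_auth_log(text, threshold=3):
    """Scan sshd lines and return (findings, failures_per_source).

    findings is a list of (kind, source_address, username) tuples:
      "brute-force"            the source reached `threshold` failed attempts
      "success-after-failures" the source was accepted after reaching the threshold
    """
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            if failures[src] == threshold:          # report once, on crossing the line
                findings.append(("brute-force", src, user))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            # .get() avoids creating an entry for sources that never failed
            if failures.get(src, 0) >= threshold:
                findings.append(("success-after-failures", src, user))
    return findings, dict(failures)

if __name__ == "__main__":
    findings, failures = review_auth_log(SAMPLE_LOG)
    for kind, src, user in findings:
        print(f"{kind:24s} {src:16s} {user}")
    print("failures by source:", failures)
```

The single failed attempt from 192.0.2.10 followed by a success is an ordinary typo and produces no finding; the five failures from 198.51.100.23 followed by an accepted root login produce both findings. In practice the same loop would consume a log stream rather than a string, and the threshold and window would be tuned to the host's normal traffic.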

Basic Protection Using Network Infrastructure Should campus border routers filter potentially harmful traffic? Kind of like the large perimeter problem, right? Some basic measures at the border can really help. Many networks filter both inbound and outbound traffic at their borders, dropping likely spoofed (forged) traffic. This has clear value and is best accomplished at the router interfaces where a determination about source networks can reasonably be made. Sometimes, short-term filtering makes sense, e.g. for an attack in progress. If the routers can implement very helpful short-term measures during an active attack, the short-term trade-off may be worth it.
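The border anti-spoofing filter described above is simple enough to state as a pair of checks, one per direction. This added example (not from the presentation) models it in Python: an inbound packet on the external interface must not claim a campus source or a non-routable source, and an outbound packet must carry a campus source. This is the ingress/egress filtering of BCP 38; the campus prefixes (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins) and the sample packets are assumptions made for the example.

```python
import ipaddress

# Constructed example: source-address sanity checks of the kind applied on a
# campus border router's external interface. Prefixes are illustrative.
CAMPUS_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Sources that should never arrive from the Internet: unspecified, RFC 1918
# private space, loopback and link-local.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)

def border_verdict(direction, src, campus=CAMPUS_PREFIXES):
    """Return ("drop", reason) or ("pass", None) for a packet crossing the border.

    direction: "inbound" (Internet toward campus) or "outbound" (campus toward Internet).
    Inbound packets must not claim a campus or bogon source (ingress filtering);
    outbound packets must carry a campus source (egress filtering).
    """
    addr = ipaddress.ip_address(src)
    if direction == "inbound":
        if _in_any(addr, campus):
            return ("drop", "inbound packet claims an internal source")
        if _in_any(addr, BOGON_PREFIXES):
            return ("drop", "inbound packet from non-routable source")
        return ("pass", None)
    if direction == "outbound":
        if not _in_any(addr, campus):
            return ("drop", "outbound packet with non-campus source")
        return ("pass", None)
    raise ValueError(f"unknown direction {direction!r}")

def dropped_packets(packets):
    """Apply border_verdict to (direction, src) pairs and return the drops with reasons."""
    drops = []
    for direction, src in packets:
        verdict, reason = border_verdict(direction, src)
        if verdict == "drop":
            drops.append((direction, src, reason))
    return drops

# Constructed sample traffic: one legitimate packet per direction plus three forgeries.
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.5"),     # ordinary Internet source
    ("inbound", "192.0.2.7"),       # forged: claims to be a campus host
    ("inbound", "10.1.2.3"),        # forged: private source on the external link
    ("outbound", "198.51.100.9"),   # ordinary campus source
    ("outbound", "203.0.113.44"),   # forged: a campus host spoofing someone else
]

if __name__ == "__main__":
    for direction, src, reason in dropped_packets(SAMPLE_PACKETS):
        print(f"drop {direction:8s} {src:15s} {reason}")
```

The outbound check is the one that protects everyone else: a compromised campus host cannot launch reflection or flooding attacks with a forged source if its packets never leave the border. Both checks are cheap because they only consult the interface and the source prefix, which is why the slide places them at the router rather than at a firewall deeper inside.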

Conclusion Firewalls can play an important role in enterprise information security. Some topologies reduce the collateral damage risk. Move the control point as close as possible to the thing you want to protect.

Contact Deke Kassabian Related paper available at: